• No results found

How to share secrets simultaneously

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "How to share secrets simultaneously"

Copied!
5
0
0

Loading.... (view fulltext now)

Download now ( 5 Page )

Full text

(1)

How to share secrets simultaneously

aszl´

o Csirmaz

Central European University, Budapest R´enyi Institute, Budapest

Abstract

Each member of a team consisting ofnperson has a secret. Thekout of n simultaneous threshold secret sharingrequires that any group of k members should be able to recover the secret of the othern−kmembers, while any group of k−1 or less members should have no information on the secret of other team members. We show that when all secrets are independent and have sizes then each team member must receive a share of size at least (n−k)s, and we present a scheme which achieves this bound. This result shows a significant saving over n independent applications of thekout ofn−1 threshold schemes which assigns shares of size (n−1)sto each team member independently ofk.

Keywords: simultaneous secret sharing; complexity; threshold scheme; secret sharing; interpolation.

MSC numbers: 94A62, 90C25, 05B35.

1

Introduction

A team has nmembers, and each member of the team has a secret about the same size, say a password. As a safety caution, they want each secret to be distributed among the other members of the group so that it could be recovered in the case any of them forgets it. Also, none of them trusts the others, thus they want their secret to be independent of the information held by any group

n−1 or less team members. This goal can be achieved by distributing all secrets using Shamir’sn−1 out ofn−1 threshold secret sharing method, see [3]. Assuming that all secrets have the same size s bit, the total size of the shares each team member receives will be (n−1)stimes the secret size. This holds as in any perfect secret sharing scheme, any share size is at least as large as that of the secret, see [1]. Can we do better if the secrets are distributed not independently but simultaneously? We show that the answer isyes: there is a way to distribute the secrets so that

This research was partially supported by the “Lend¨ulet Program” of the Hungarian

(2)

1. every team member receives ansbit share;

2. any member’s secret can be recovered using the sharesandthe secrets of the othern−1 members;

3. even putting together all informationn−2 team members received during the distribution phase, they will have no information on the secret of the other two team members.

We also show that in all schemes satisfying properties 2. and 3. above the size of every share must be at leasts, thus our scheme isoptimal.

The problem sketched above is a special case of thek out ofnsimultaneous secret sharing. The team hasnmembers as above, and each of them has a secret. In this case we require that any participant’s secret should be recoverable by anyk out of the remainingn−1 participants, while no k−1 or less coalition should have any information on the other members’ secrets.

Theorem 1 a) Suppose each secret has the same size s, and the secrets are totally independent (knowing some of them does not help guessing the others beyond guessing them randomly and independently). Then any scheme realizing

kout of nsimultaneous secret sharing assigns shares of size at least (n−k)s. b) There is anoptimalkout ofnsimultaneous secret sharing scheme which assigns(n−k)ssize shares.

In Section 2 we prove part a) of this theorem, while in Section 3 we present an optimalkout ofnsimultaneous secret sharing scheme proving part b). An interesting property of the presented scheme is that the recovery of a secret can be done in such a way that repeating it not more thann−ktimes the unaffected secrets are not compromised, i.e., they are (statistically) independent from all published information.

2

Lower bound

To prove the lower bound we use the so-called entropy method, see [1, 2]. First of all, we consider the secrets and shares as random variables. The size of the secretξp belonging to participantpis its Shannon entropy H(ξp), which is

roughly the number of necessary bits to defined the value of ξp uniquely. For

any collection{ξi:i∈I}of random variables we define the real-valued function

f(I) =H({ξi:i∈I})

where the entropy is taken for the joint distribution of all indicated variables. For example, ifpis (the index of) any of the secrets, thenf({p}) is thesizeof the secretξp, and similarly for shares.

(3)

Claim 2 For any subsetsX andY

1. f(X)≥0 (positivity),

2. f(X)≤f(Y)ifX ⊆Y (monotonicity), 3. f(X) +f(Y)≥f(XY)(additivity),

4. f(XY) =f(X)if (the variables in)X determines the values of (the vari-ables in)Y;

5. f(XY) =f(X) +f(Y)if X andY are statistically independent.

The entropy method can be rephrased in a few words as follows. Let A

be the (index) of any share. Suppose forany function f satisfying properties enlisted in Claim 2 there are (indices)a1,. . ., a` of secrets such that

f(A)≥f(a1) +· · ·f(a`).

The the size of shareAmust be at least` times the size of the secrets.

Lemma 3 Suppose G is a group of participant with k−1 members, and a, ¯b=hb1, . . . , bn

−kiare the secrets of participants not in Gand their share areA

andB¯ =hB1, . . . , Bn−ki, respectively. Then

f(a) +f(A)≥f(a¯b).

Proof Let us denote the total data (secret plus share) held byGbyGas well. By assumption, Gtogether with a and A should determine all the secrets bi,

that isf(aAG) =f(a¯bAG). Also,Gshould have no information on the secrets

a and bi or on their combinations, thus f(a¯bG) = f(a¯b) +f(G). Using these

and the additivity and monotonicity property off, we have

f(a) +f(A) +f(G)≥f(aAG) =f(a¯bAG)≥f(a¯bG) =f(a¯b) +f(G).

Comparing the first and last tag gives the claim of the Lemma.

From this lemma we can deduct a lower bound on the size of the share each participant receives.

Proof (of part a) of Theorem 1) Use notations from Lemma 3, in particular letaandArespectively be the secret and the share of participanta. All secrets have the same size, thus

f(a) =f(b1) =· · ·=f(bn−k).

Secrets are totally independent by assumption, which means

f(a¯b) =f(ab1. . . bn−k) =f(a) +f(b1) +· · ·+f(bn−k) = (n−k+ 1)f(a).

From Lemma 3 we know thatf(A)≥f(a¯b)−f(a) = (n−k)f(a), which proves

(4)

3

An optimal construction

In the rest of this paper we give a construction which matches the bound in part a) of Theorem 1. Let us denote the participants bypi for 1≤i≤n, and letF

be a finite field with more than n(n−k+ 1) elements. Choose different field elementsxi,j for 1≤i≤n and 0≤j ≤n−k, and pick a random polynomial

r(x) of degree less thank(n−k+ 1).

Thesecret of participant pi will be the value ofr at xi,0. This can also be achieved by simply choosingrfrom among those polynomials which satisfy the condition thatr(xi,0) is the secret ofpi. As for the share, we give participant

pi all field elementsr(xi,1) up tor(xi,n−k). Observe that all secrets are uniform

random elements from the field, thus the “size” of all secrets are the same, namelylog2(|F|). Similarly, all participants received (n−k) field elements as

share, therefore the size of the share is exactly (n−k) times that of the secret. We claim that any k participants can determine the secret value of the remainingn−kparticipants. This is clear, as thekparticipants know the value ofr atk(n−k+ 1) different places, whilerhas smaller degree, thus they can determiner, and its value atxp,0for any participantp.

Next, we claim that the total information ofk−1 participants is statistically independent of the secrets of the othern−k+ 1 participants. This is true asris a random polynomial of degree belowk(n−k+ 1), andk−1 participants know the value of this polynomial at (k−1)(n−k+ 1) places, thus the polynomial can take all the possibilities with equal probability at anyn−k+ 1 predetermined places – in particular atxp,0wherepruns over the missingn−k+1 participants.

The method outlined above to recover one of the secrets has the drawback that it not only recovers the secret but it also recovers the polynomialr, conse-quently all the secrets are also revealed. The participants, however, should only recover the value ofr at xp,0 and not the whole r. LetB ⊆ {1, . . . , n} be the subset of sizek which wants to recover the secret ofp /∈B. As the values xi,j

are public, members ofB can publicly compute the constantsλi,j∈Fusing the

Lagrange interpolation formula such that

r(xp,0= X

i∈B n−k X

j=0

λi,jr(xi,j)

whatever the valuesr(xi,j) are. Consequently to recoverp’s secret, participant

i∈B should only publish the sum

n−k X

j=0

λi,jr(xi,j) (1)

rather than all the valuesr(xi,j). The sum of published values (1) will give the

(5)

References

[1] R. M. Capocelli, A. De Santis, L. Gargano, U. Vaccaro: On the size of shares of secret sharing schemes, J. Cryptology, vol 6(3) (1993), pp. 157–168

[2] L. Csirmaz: Secret sharing schemes on graphs, Studia Sci. Math. Hun-gar., vol 44(2007) pp. 297–306 – available as IACR preprint http:// eprint.iacr.org/2005/059

References

Download now ( PDF - 5 Page - 133.44 KB )

Related documents